MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 898cc141ffb06332c3fd9d6bc233b7ebba9daa93ff7112ab66c103289cdb8ba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	898cc141ffb06332c3fd9d6bc233b7ebba9daa93ff7112ab66c103289cdb8ba1
SHA3-384 hash:	8c72a9427b654ebafb3d3db0f72148a6558e1d11cde30d660a62a21a40e525095a7ecf45dea7c61c7ab856a7c1bd2c38
SHA1 hash:	29cc2f4dd99c47692b833066a5e4b6d531575109
MD5 hash:	0d0b4ca609b30cb8129b055c27ca3e63
humanhash:	nine-ink-cold-triple
File name:	Catalogue.pdf
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	721'920 bytes
First seen:	2020-06-08 07:12:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fd8135b0036737f4378aeccc98fbd15a (9 x Loki, 9 x AgentTesla, 2 x HawkEye)
ssdeep	12288:gEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XXor+pwvVgY:gEEbuQ9WmD1HITPTnXXoryw9gn6wXU
Threatray	11'737 similar samples on MalwareBazaar
TLSH	14E4AF2DE2A04833E173157D5F1FD778982EBE61291419822FE5DC4CAFA93893D37186
Reporter	abuse_ch
Tags:	AgentTesla pdf

abuse_ch

Malspam distributing unidentified malware:

HELO: vps8633.inmotionhosting.com
Sending IP: 74.124.197.21
From: SDLG <info@sdlgemea.com>
Subject: Company Introduction
Attachment: Catalogue.pdf

Intelligence

File Origin

# of uploads :

1

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.5937.21320.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-06-07 22:55:05 UTC

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rggmcqp7wbrtfq75tvv4em5x5o5j3kut75yrfk3gyebsrhg3roqq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

Similar samples:

0d855940e7eef77c65a23ef145ddc88840b0931a79f7de42384b42a408178d62

36b1d505b9169fcf6c35cc4337b3e87b71f535424960e78cb5063582fd99840d

5e095f19ee1f47f01ee5dad9828fef4bd1047feb4860765b5ac387b2ac371330

7c15dd07b223275e68dd8034583f12a73fc19f2d42abede56ed8d0dfdc92edc6

83f30281a5e505534920c9b752097032706f1856ea85e75c6af492c2e8c7dd32

9855128084d3f64cad749acea4eae6e76615e7bb2af406cfbc7a3e0c8932ab2c

b0eec8bd5f60b70b27546edbe4d16f2316d58dbeb8ebc478df7ed3cb7c1e762d

c6e26d183274fdfc63535e49ede53c4e7894de05f0054341bb031598186f138c

e24a3fe957675ab9e6815582079bf483dd6f0b75e744b51d6f71d4fdcb301da0

e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3

+ 11'727 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-whqa13pzvj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 898cc141ffb06332c3fd9d6bc233b7ebba9daa93ff7112ab66c103289cdb8ba1

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample